At times users may report a Symantec client tray icon notification "[SID: <pid number> Attack: SMB Double Pulsar..]"
Similar to the one below:
First, there is no need to panic: your machine is protected by Symantec Endpoint Protection. The second step is to trace the source of the attack. The primary suspect is one of the machines on your network; to trace that machine, the SEPM logs or the Monitors Summary can assist us.
Option 1. SEPM Console GUI : Monitors → Summary (Tab) → Network and Host Exploit Mitigation (drop down) → Top Sources of Attack (frame)
Option 2. SEPM Logs : Monitors → Logs (Tab) → Log Type 'Network and Host Exploit Mitigation' → Log Content 'Attack' → View Log (Button). Extract the logs to a spreadsheet and filter on the column 'Event Description' for the two selections.
Find the unique 'Remote Host IP' values.
The third step is to clean the source machines of infection. Disconnect the machines and install SEP if it is not present, then update with the latest definitions. Run a full scan to clean the infection. It may ask for a restart of the machine.
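The Option 2 triage above (export the attack log, filter 'Event Description', list the unique 'Remote Host IP' values) done in PowerShell, as an added example that is not part of the original post. It assumes the CSV export carries columns named 'Event Time', 'Host Name', 'Remote Host IP' and 'Event Description' (your export may label them differently; adjust the two variables at the top). The rows embedded in the script are constructed sample data standing in for a real export, and the private-range check is a plain RFC 1918 test added here to separate internal sources from internet sources.

```powershell
# Added example: triage an exported SEPM 'Network and Host Exploit Mitigation' attack log.
# ASSUMED column names - compare with the header row of your own export and adjust.
$DescriptionColumn = 'Event Description'
$RemoteColumn      = 'Remote Host IP'

# Constructed sample rows standing in for the CSV exported from Monitors -> Logs.
$sampleCsv = @'
"Event Time","Host Name","Local Host IP","Remote Host IP","Event Description"
"2017-05-15 09:00:12","WKS-101","10.1.1.21","10.1.1.55","[SID: 21331] Attack: SMB Double Pulsar. Traffic has been blocked."
"2017-05-15 09:10:14","WKS-101","10.1.1.21","10.1.1.55","[SID: 21331] Attack: SMB Double Pulsar. Traffic has been blocked."
"2017-05-15 09:11:02","WKS-207","10.1.1.40","10.1.1.55","[SID: 21331] Attack: SMB Double Pulsar. Traffic has been blocked."
"2017-05-15 09:20:31","SRV-FS01","10.1.1.5","203.0.113.17","[SID: 21331] Attack: SMB Double Pulsar. Traffic has been blocked."
"2017-05-15 09:30:40","SRV-FS01","10.1.1.5","198.51.100.9","[SID: 21331] Attack: SMB Double Pulsar. Traffic has been blocked."
"2017-05-15 09:32:05","WKS-101","10.1.1.21","10.1.1.77","[SID: 20000] Web Attack: Example Exploit Kit. Traffic has been blocked."
'@

function Test-PrivateIPv4 {
    # RFC 1918 ranges only; anything else is treated as an internet source.
    param([string]$Ip)
    return [bool]($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
}

function Get-AttackSources {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string] $Pattern = 'SMB Double Pulsar'   # matches the 'Event Description' filter in the post
    )
    $Rows |
        Where-Object { $_.$DescriptionColumn -match $Pattern } |
        Group-Object -Property $RemoteColumn |
        Sort-Object Count -Descending |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object 'Event Time'
            [pscustomobject]@{
                RemoteHostIP = $_.Name
                Internal     = Test-PrivateIPv4 $_.Name
                Events       = $_.Count
                Targets      = ($_.Group | Select-Object -ExpandProperty 'Host Name' -Unique) -join ','
                FirstSeen    = ($ordered | Select-Object -First 1).'Event Time'
                LastSeen     = ($ordered | Select-Object -Last 1).'Event Time'
            }
        }
}

$rows = $sampleCsv | ConvertFrom-Csv
# For a real export use:  $rows = Import-Csv -Path .\sepm-attack-log.csv
$sources = @(Get-AttackSources -Rows $rows)
$sources | Format-Table -AutoSize

# Apply the rule of thumb from the thread: single-digit count -> clean by hand,
# otherwise first put all source machines into their own SEPM group.
$internal = @($sources | Where-Object Internal)
if ($internal.Count -le 9) {
    "Manual cleanup of $($internal.Count) internal source host(s)."
} else {
    "$($internal.Count) internal sources: create a dedicated SEPM group and verify SEP is installed on each."
}

# Internet sources cannot be 'cleaned'; they are input for the perimeter firewall review.
$sources | Where-Object { -not $_.Internal } | Select-Object -ExpandProperty RemoteHostIP
```

With the sample rows the script reports 10.1.1.55 (3 events, two targets) as the only internal source and lists 203.0.113.17 and 198.51.100.9 as internet sources; the unrelated "Web Attack" row is dropped by the pattern filter.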
Many thanks for the good advice, Ashish!
It is crucial that all endpoints within the organization have all MS patches applied. Malware cannot exploit the EternalBlue vulnerability if it is patched.
Also: ensure that SMB is blocked at the corporate firewall! No incoming SMB traffic from random Internet addresses should be allowed through to the endpoints.
Those two measures should eliminate these IPS events in the organization.
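A host-side audit for the two measures in this reply, added here as an example and not part of the original post: it reports whether an MS17-010 update is visible in the installed hotfixes, whether SMBv1 (the protocol EternalBlue targets) is still enabled, and which enabled inbound firewall rules allow TCP 445; with -Enforce it adds a host firewall rule blocking inbound 445 and turns SMBv1 off, as a complement to the perimeter block. The KB list is my transcription of the MS17-010 bulletin and is an assumption to verify for your OS versions; the script needs an elevated prompt on Windows 8 / Server 2012 or later (NetSecurity and SmbShare modules).

```powershell
# Added example: audit (and optionally enforce) the patch and SMB exposure state of one endpoint.
# Run elevated on Windows 8 / Server 2012 or later.
param([switch]$Enforce)

# ASSUMPTION: MS17-010 KB numbers per OS as listed in the bulletin - verify for your OS.
# Get-HotFix only reports updates by the KB they were installed under, so on Windows 10 a
# later cumulative update that supersedes these KBs will not appear here: treat a miss as
# 'check further', not as proof the host is unpatched.
$Ms17010Kbs = @(
    'KB4012212','KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213','KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214','KB4012217',              # Server 2012
    'KB4012606','KB4013198','KB4013429',  # Windows 10 1507 / 1511 / 1607
    'KB4012598'                           # Vista / Server 2008 / XP / Server 2003 (out-of-band)
)

function Get-SmbExposure {
    $installed = Get-HotFix |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Enabled inbound rules that allow TCP 445; each one is a path for the IPS events above.
    $allow445 = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    [pscustomobject]@{
        Ms17010Installed = ($installed -join ',')
        Smb1Enabled      = $smb1
        InboundAllow445  = (@($allow445 | ForEach-Object { $_.DisplayName }) -join '; ')
    }
}

function Block-InboundSmb {
    # Host-side complement to the perimeter block. Block rules win over allow rules in
    # Windows Firewall, so apply this only to endpoints that do not serve file shares; on a
    # file server scope the existing allow rule to internal subnets instead.
    if (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB 445' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB 445' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    # EternalBlue is an SMBv1 exploit; disabling SMBv1 closes it even before the patch lands.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

Get-SmbExposure | Format-List
if ($Enforce) {
    Block-InboundSmb
    "After enforcement:"
    Get-SmbExposure | Format-List
}
```

Run it without -Enforce first and read the report; an empty Ms17010Installed on a Windows 10 host is not conclusive on its own, but Smb1Enabled = True together with an inbound allow rule for 445 is the combination that lets the events in this thread keep appearing.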
I would suggest looking for the remote hosts. Trace and check them one by one. If the count is in single digits, corrective action can be done manually. If the count is higher, first ensure SEP is installed on each and make a separate group for all such machines to have more control over them.
For some days we have had an attack every 10 minutes with SID: 21331 Attack: SMB Double Pulsar.
The remote host is a different one every time. And the server and all clients are clean (full scan).
What can I do to prevent these attacks?
Sincerely